Information Systems: Agencies Overlook Security Controls During Development

IMTEC-88-11: Published: May 31, 1988. Publicly Released: May 31, 1988.

Contact:

Jack L. Brock, Jr
(202) 512-4841
contact@gao.gov


Pursuant to a congressional request, GAO reviewed federal civilian agencies' practices for incorporating security controls during the development of automated systems for sensitive information.

GAO found that the National Bureau of Standards (NBS), the Office of Management and Budget (OMB), and the General Services Administration issued considerable but general guidance for agencies to follow in incorporating security controls during systems development. GAO also found that agencies did not adequately: (1) determine their systems' security needs; (2) assess threats, vulnerabilities, and risks to their systems; (3) identify alternative system security approaches or compare their feasibility, costs, or benefits; (4) analyze potential risks for their specific system concepts; (5) define the sensitivity of their information; (6) define security requirements to permit implementation of appropriate controls; or (7) develop security test plans.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: Like NIST, the Committee supports the OMB status quo. The Committee, realizing that there must be a period of time allowed for public comments on guidance and that OMB is involved with the approval process of computer security plans, recognizes that it will take several years for OMB to satisfy the Computer Security Act's requirements, thereby implementing this recommendation.

    Recommendation: The Office of Management and Budget should, consistent with its broad authority under the Paperwork Reduction Act, revise its existing policies and guidelines to ensure appropriate management involvement in security-related decisions governing the development of sensitive information systems.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Comments: The Department of Commerce has developed a policy for including adequate security controls in the system development process, set out in its Methodology for Certifying Sensitive Computer Applications, and has disseminated it to all Commerce organizational units. As a continuing effort, Commerce is actively monitoring its organizational units' compliance with various federal and Commerce policies.

    Recommendation: The International Trade Administration (ITA) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. ITA may find the forthcoming NBS Special Publication 500-153 useful in this analysis. ITA should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of agency information security plans required by the Computer Security Act of 1987.

    Agency Affected: Department of Commerce: International Trade Administration

  3. Status: Closed - Implemented

    Comments: As of May 9, 1989, INS had identified its sensitive information systems and developed associated security plans, which will be provided to OMB for approval. The Committee staff views INS actions as a serious, positive effort and will track the agency's compliance with the Computer Security Act, satisfying this recommendation.

    Recommendation: The Immigration and Naturalization Service (INS) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. INS may find the forthcoming NBS Special Publication 500-153 useful in this analysis. INS should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of INS information security plans required by the Computer Security Act of 1987.

    Agency Affected: Department of Justice: Immigration and Naturalization Service

  4. Status: Closed - Implemented

    Comments: FAA has established a policy that requires security reviews of system specifications to ensure that systems are developed with appropriate security controls. FAA subjected National Airspace System development efforts to a checklist in which system security is a key component.

    Recommendation: The Federal Aviation Administration (FAA) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. FAA may find the forthcoming NBS Special Publication 500-153 useful in this analysis. FAA should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of FAA information security plans required by the Computer Security Act of 1987.

    Agency Affected: Department of Transportation: Federal Aviation Administration

  5. Status: Closed - Implemented

    Comments: As of May 10, 1989, all of the agencies, with the exception of NIST, OMB, and INS, had: (1) complied with the GAO recommendations; (2) met the minimum requirements of the Computer Security Act of 1987; and (3) submitted their computer security plans, which reflect their compliance.

    Recommendation: The U.S. Customs Service should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. Customs may find the forthcoming NBS Special Publication 500-153 useful in this analysis. Customs should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of Customs information security plans required by the Computer Security Act of 1987.

    Agency Affected: Department of the Treasury: United States Customs Service

  6. Status: Closed - Implemented

    Comments: FmHA based its policies and procedures, as appropriate, on the guidance "Model Framework for Management Control Over Automated Information Systems" provided by the President's Council on Management Improvement and Integrity and Efficiency (January 1988). These policies were used in reviewing systems under development.

    Recommendation: The Farmers Home Administration (FmHA) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. FmHA may find the forthcoming NBS Special Publication 500-153 useful in this analysis. FmHA should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of FmHA information security plans required by the Computer Security Act of 1987.

    Agency Affected: Department of Agriculture: Farmers Home Administration

  7. Status: Closed - Implemented

    Comments: Policies regarding information systems development and use were modified to consider security controls during the design and development of DOE information systems. The modified policies formed the basis for one of the objectives of the reviews of systems under development.

    Recommendation: The Department of Energy (DOE) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. DOE may find the forthcoming NBS Special Publication 500-153 useful in this analysis. DOE should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of DOE information security plans required by the Computer Security Act of 1987.

    Agency Affected: Department of Energy

  8. Status: Closed - Implemented

    Comments: SSA had included security standards in five of the eight stages in the systems development life cycle (SDLC) prescribed in its Software Engineering Technology (SET) manuals. During FY 1989, SSA completed the remaining three stages with security standards. SSA compared its SDLC security requirements against those in the GAO report and adjusted, as necessary.

    Recommendation: The Social Security Administration (SSA) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. SSA may find the forthcoming NBS Special Publication 500-153 useful in this analysis. SSA should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of SSA information security plans required by the Computer Security Act of 1987.

    Agency Affected: Social Security Administration

  9. Status: Closed - Implemented

    Comments: The Office of Systems Planning, Policy and Acquisition Control has completed its review of agency policy and included security and internal controls in VA life-cycle management policies. A review for security issues for systems under development was conducted and the results were incorporated in the security plans required by the Computer Security Act of 1987.

    Recommendation: The Veterans Administration (VA) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. VA may find the forthcoming NBS Special Publication 500-153 useful in this analysis. VA should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of VA information security plans required by the Computer Security Act of 1987.

    Agency Affected: Veterans Administration

  10. Status: Closed - Implemented

    Comments: Because of the increased workload and time involved in NIST's review of agencies' computer security plans (on which it is providing advice and comments) and NIST's lack of resources (staff and funding), the House Committee on Science, Space, and Technology supports the NIST status quo and will support additional funding requests.

    Recommendation: The National Institute of Standards and Technology should, pursuant to its responsibilities under the Computer Security Act of 1987 and in consultation with the appropriate agencies, perform a comprehensive reassessment and revision of the system development standards and guidelines needed by agencies to ensure cost-effective protection of sensitive information in federal computer systems under development.

    Agency Affected: Department of Commerce: National Institute of Standards and Technology

  11. Status: Closed - Implemented

    Comments: IRS obtained assistance from the Federal Computer Performance Evaluation and Simulation Center in: (1) reviewing federal and Treasury requirements for information systems security and control; (2) documenting IRS implementation of an information systems security program; and (3) developing an action plan to ensure that proper controls are put in place, including in the area of tax system redesign.

    Recommendation: The Internal Revenue Service (IRS) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. IRS may find the forthcoming NBS Special Publication 500-153 useful in this analysis. IRS should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of IRS information security plans required by the Computer Security Act of 1987.

    Agency Affected: Department of the Treasury: Internal Revenue Service
